It’s been a roller coaster week for Android owners as word got out earlier this week that essentially all (99.7%) Android smartphones are leaking login data for Google services, and could allow other access to information stored in the cloud. This claim was made by German security researchers Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm. The vulnerability is observed in apps that use the ClientLogin authentication protocol in Android 2.3.3 and earlier. The ClientLogin API is meant to increase security and performance, because Google’s servers need only check your login information once. Usernames and passwords are sent once, and thereafter the apps use a token instead.
Lifehacker explains how this vulnerability can be exploited:
Unless your device is one of the 1% with Android 2.3.4, those credentials—for Google Calendar, Twitter, Facebook, and other accounts—are submitted in the clear. This can give attackers access to those accounts if you unwittingly connect to an unencrypted wireless network set up by the attacker. An attacker only needs to set up a Wi-Fi access point with a common SSID name, such as “starbucks” or “attwifi” (an evil twin network), and when your Android phone tries to automatically connect, the hacker can capture the authentication tokens for your accounts.
Then, later in the week, Google announced that it had started rolling out a silent fix. They’ve implemented a server-side patch that will close the security hole for all versions of Android. This fix will go out silently, without users having to download or update their apps. The fix should be out by the end of the week, and will force all servers to use encrypted HTTPS. Obviously, a fix is good for everyone, but it raises concerns about how fast a patch could roll out for a serious security flaw, considering that Google is so reliant on manufacturers and carriers to push out OS updates.
The takeaway here, as a developer, is that it’s important not to rely on the OS alone for security. Both Google and Apple have testified in front of Congress about privacy and their respective platforms. Remember to think about your users and how they value their information. More and more companies are using HTTPS; even Twitter and Facebook have HTTPS features. Privacy and vulnerabilities are serious, hot button issues for the community, so don’t let your app become the next poster child for security issues.
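To make the developer-side takeaway concrete, here is an added example (not code from the original post, from Lifehacker, or from Google's ClientLogin libraries) of the check an app can enforce itself rather than waiting on the OS or a server-side fix: the session token is only ever attached to a request whose URL is HTTPS and whose host is on an allow-list, and a redirect that would downgrade from HTTPS to plain HTTP is refused. The `Authorization: GoogleLogin auth=<token>` header form is the one ClientLogin uses; the host allow-list, the token value and the URLs are constructed placeholders for the example.

```python
"""Client-side guard: never send a session token over plain HTTP.

Added example, not from the original post or from Google's SDK. The
allow-list, token value and URLs are constructed for illustration.
"""
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener


class InsecureTransportError(Exception):
    """Raised when a credential would leave the device without TLS."""


# Hosts this app may present its token to (constructed allow-list).
ALLOWED_HOSTS = {"www.google.com", "calendar.google.com"}


def build_authenticated_request(url: str, auth_token: str) -> Request:
    """Return a urllib Request carrying the token, or raise if it would leak.

    The header is attached only when the scheme is https and the host is on
    the allow-list, so an evil-twin access point or captive portal that
    serves or redirects to plain http never receives the token.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise InsecureTransportError(
            f"refusing to send token over {parts.scheme or 'unknown'}://{parts.netloc}"
        )
    if parts.hostname not in ALLOWED_HOSTS:
        raise InsecureTransportError(f"host {parts.hostname!r} is not an allowed API host")
    req = Request(url)
    # ClientLogin header format (real); the token value is a placeholder.
    req.add_header("Authorization", f"GoogleLogin auth={auth_token}")
    return req


def is_safe_to_send(url: str) -> bool:
    """Boolean form of the same check, handy for tests and logging."""
    try:
        build_authenticated_request(url, "placeholder-token")
        return True
    except InsecureTransportError:
        return False


def is_downgrade(old_url: str, new_url: str) -> bool:
    """True if following a redirect from old_url to new_url would drop TLS."""
    return urlparse(old_url).scheme == "https" and urlparse(new_url).scheme != "https"


class NoDowngradeRedirectHandler(HTTPRedirectHandler):
    """urllib forwards the Authorization header across redirects, so a
    302 from https:// to http:// would replay the token in the clear.
    Refuse that instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_downgrade(req.full_url, newurl):
            raise InsecureTransportError(f"refusing https->http redirect to {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


# Opener an app would use for every token-bearing call; urlopen via this
# opener still performs normal certificate verification.
SAFE_OPENER = build_opener(NoDowngradeRedirectHandler())


if __name__ == "__main__":
    token = "DQAAA-constructed-token"  # real tokens come from the ClientLogin response
    for candidate in (
        "https://www.google.com/calendar/feeds/default/private/full",
        "http://www.google.com/calendar/feeds/default/private/full",
        "https://evil-twin.example/calendar",
    ):
        print(candidate, "->", "send" if is_safe_to_send(candidate) else "BLOCKED")
    print("downgrade refused:", is_downgrade("https://www.google.com/a", "http://www.google.com/a"))
```

The two checks cover the two ways a token leaks on a hostile network: the app itself opening a plaintext URL, and the app honouring a redirect that moves an HTTPS request onto HTTP. Both are enforced in the app's own code, so they hold regardless of which Android version the device runs.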